I’m new to developing with the Facebook API, so thank you in advance for your patience in helping me resolve my problem.

I’m using the Facebook PHP SDK 3 that checks for the state token and user token code to verify authentication, but it seems like it only works when I hit the app through Facebook.

Step by step in more detail:

(1) Delete Application Permissions > To start fresh and try to troubleshoot I login to Facebook and delete my user access for the application so that I will get prompted to accept the permissions again.

(2) Refresh Web App > Then I refresh my application and it doesn’t know that I have a Facebook session!

Shouldn’t the application be able to at least see my Facebook user id when I’m logged in to Facebook?

Did deleting the application from my user cause the application to lose all access?

(3) Logout of Facebook, Refresh App > Since this doesn’t work I log out of Facebook and refresh my web app to start over.

Generate the Facebook Login or Logout link based on $user information

public function run(){

  $FB = &$this->getFacebook();
  $user = $FB->getUser();

  $user_dat = $FB->api('/me');
  $logoutUrl = $FB->getLoginUrl(array('scope'=> $fbPermissions,'redirect_uri'=> $appBaseURL)); 
  $loginUrl = $FB->getLogoutUrl();

    ?>
    <h1>php-sdk</h1>

    <?php if ($user): ?>
      <a href="<?php echo $logoutUrl; ?>">Logout</a>
    <?php else: ?>
      <div>
        Login using OAuth 2.0 handled by the PHP SDK:
        <a href="<?php echo $loginUrl; ?>">Login with Facebook</a>
      </div>
    <?php endif ?>
    <?php if ($user): ?>
      <h3>You</h3>
      <img src="https://graph.facebook.com/<?php echo $user; ?>/picture">
      <h3>Your User Object (/me)</h3>
      <pre><?php print_r($user_dat); ?></pre>
    <?php else: ?>
      <strong><em>You are not Connected.</em></strong>
    <?php endif ?>
<?php   } ?>

(4) Click Generated Login Link > The FB login link is generated on my web application (outside of Facebook) I click it and redirects me to Facebook to login.

Generated Login URL

https://www.facebook.com/login.php?
api_key=112233445566778
&skip_api_login=1
&display=page&
cancel_url=http://www.mywebapp.com/app/beta/?error_reason=user_denied&error=access_denied
&error_description=The+user+denied+your+request.
&state=99ff88cc33dd77aa11bb00cc2266dd11
&fbconnect=1
&next=https://www.facebook.com/connect/uiserver.php?method=permissions.request
&app_id=112233445566778
&display=page
&redirect_uri=http://www.mywebapp.com/app/beta/?response_type=code&state=99ff88cc33dd77aa11bb00cc2266dd11
&fbconnect=1
&perms=user_about_me,user_activities,user_likes,email,user_online_presence,read_friendlists,manage_notifications,publish_stream
&from_login=1
&rcount=1

(5) Login to Facebook, Allow App Permissions > I Login and then it then asks me to allow permissions to my application, which I do by clicking ‘Allow’ and Facebook redirects me back to my application with this URL.

http://www.mywebapp.com/app/beta/?
code=ABCxxx
&state=b3f5efffc496b3f5efff38e32604e3

However when I get back to the application my server error logs spit up an error message:

[error] ***CSRF state token does not match one provided.***

And the application thinks that I’m still not logged in, and doesn’t display any user information!

It looks like the application’s state token does not match the one returned from Facebook after the user accepts the applications permissions via Ouath.

In this case the state token I sent over as part of the login link was:

state=9655d77aa198fc0a29774694134dd0c7

but then facebook redirected me back to my application with this state token!

state=b3f5efffa4169f3c4b816838e32604f5

The token I sent over actually looks like the token from the previous session, so I was thinking maybe I need to clear the session information before logging in again. This doesn’t seem to happen within the Facebook SDK, so do I need to implement this myself?

(6) Refresh Web App in Facebook > Then to just make sure I’m not crazy I go to Facebook and see that I am logged in, and then I hit the web app through facebook

http://apps.facebook.com/mywebapp/

and what do you know, my application is showing all of my user info, user access token and everything from within Facebook, however =/

(7) Refresh Standalone App > I then go back to my webapp — refresh it — and now it has all the info as well!

What is wrong that I cannot login through my application using the PHP SDK?

Why can’t my application see a Facebook User id when they’re not on the app?